
Running Windows Remote Server Admin Tools with a different account

Using a separate admin account is common in the Unix world. At Christian Aid we adopted separate admin accounts for staff in the ICT Services teams to improve security.

One annoying thing about this is that the MMC-based Windows tools don't easily run as a different user AND with elevated permissions (confusingly labelled Run as administrator in the UI). We had been working around this by remoting to a server and running the tools from there, logged in with an admin account.

That's a bit of a pain though, right? It would be much better to run the tools locally as the admin user. This can be done by editing the shortcut for each item in Administrative Tools so that its target reads:

runas.exe /user:DOMAIN\adminuser "cmd /c Start /B app.msc"

Obviously adjust DOMAIN\adminuser and app.msc (the MMC console file for the tool) as appropriate.

Wrapping the normal run command in cmd /c is necessary for applications that need additional flags, and does no harm for those that don't.

Use this approach for any application that needs to run as a different (and always the same) user, with elevated privileges, or both. One caveat: runas itself does not elevate. With UAC enabled the new process starts with the admin account's standard token, so a tool that requires administrator rights may still show a UAC consent prompt, this time for the admin account rather than your own.
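Editing every shortcut by hand is tedious, so here is an added PowerShell example (not from the original post) that builds a "run as admin user" copy of each Administrative Tools shortcut in the current user's own Start Menu. DOMAIN\adminuser and the destination folder name are placeholders, and the script assumes the shortcut targets contain no spaces (Administrative Tools targets are normally %windir%\system32\*.msc), because everything after /user: must reach runas as a single quoted program string and nested quotes do not survive that.

```powershell
# Added example, not part of the original post. Creates runas.exe wrappers for the
# Administrative Tools shortcuts in a folder under the user's own Start Menu.
# Assumptions: DOMAIN\adminuser is a placeholder, "Admin Tools (runas)" is an arbitrary
# folder name, and shortcut targets/arguments need no quoting of their own.
param(
    [string]$AdminUser = 'DOMAIN\adminuser',
    [string]$SourceDir = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Administrative Tools'),
    [string]$DestDir   = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Admin Tools (runas)')
)

$shell = New-Object -ComObject WScript.Shell
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null

Get-ChildItem -Path $SourceDir -Filter '*.lnk' | ForEach-Object {
    $src        = $shell.CreateShortcut($_.FullName)
    $target     = $src.TargetPath
    $targetArgs = $src.Arguments

    # runas passes the program string through as one argument; a target with spaces
    # or arguments containing quotes cannot be expressed safely, so skip those.
    if ($target -match '\s' -or $targetArgs -match '"') {
        Write-Warning "Skipping $($_.Name): target or arguments would need nested quoting"
        return
    }

    # Same shape as the shortcut target in the post: cmd unpacks the string and
    # start /B launches the real tool in the admin user's logon session.
    $inner = ("cmd /c Start /B $target $targetArgs").Trim()

    $dst = $shell.CreateShortcut((Join-Path $DestDir $_.Name))
    $dst.TargetPath       = Join-Path $env:SystemRoot 'System32\runas.exe'
    $dst.Arguments        = "/user:$AdminUser `"$inner`""
    $dst.WorkingDirectory = $src.WorkingDirectory
    $dst.IconLocation     = $src.IconLocation
    $dst.Description      = "$($src.Description) (as $AdminUser)".Trim()
    $dst.Save()
    Write-Host "Created $($dst.FullName)"
}
```

Run it as your normal user; the originals under ProgramData are left untouched, and the generated shortcuts prompt for the admin account's password each time unless you add /savecred, which the next section argues against.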

/savecred security hole

Anyone using this might be tempted to add the /savecred flag to the runas command, which stores the credentials. The first time you use a shortcut like this you'll be asked for the admin user's password in a console window. With /savecred the password is saved in Windows Credential Manager and you won't be prompted again. That's convenient, but it means that if the computer and your normal Windows account are compromised, an attacker is one click away from your admin interfaces: the saved credential is available to any process running as you, not just to your shortcuts, so runas /savecred /user:DOMAIN\adminuser cmd hands them an admin shell with no password at all.
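To see whether anyone on a machine has already done this, the following added PowerShell example (not from the original post) lists the saved runas credentials with cmdkey, optionally deletes them, and checks the LSA policy "Network access: Do not allow storage of passwords and credentials for network authentication" (the DisableDomainCreds value), which when set to 1 also stops runas /savecred from saving anything. It assumes that /savecred entries show up in cmdkey output as "Target: Domain:interactive=DOMAIN\user", which is how Windows stores them.

```powershell
# Added example, not part of the original post. Audits saved runas /savecred
# credentials and the policy that blocks them. Run with -Remove to delete the entries.
param([switch]$Remove)

# 1. Saved interactive logons appear in "cmdkey /list" as
#    "Target: Domain:interactive=DOMAIN\user" (assumption stated in the lead-in).
$saved = cmdkey /list | ForEach-Object {
    if ($_ -match 'Target:\s*Domain:interactive=(.+)$') { $Matches[1].Trim() }
}

if (-not $saved) {
    Write-Host 'No saved runas credentials found in Credential Manager.'
} else {
    foreach ($user in $saved) {
        Write-Host "Saved runas credential for $user (usable by any process running as you)"
        if ($Remove) {
            cmdkey "/delete:Domain:interactive=$user" | Out-Null
            Write-Host "  removed"
        }
    }
}

# 2. DisableDomainCreds=1 under the Lsa key is the registry form of the policy
#    "Do not allow storage of passwords and credentials for network authentication".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name DisableDomainCreds -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableDomainCreds -eq 1) {
    Write-Host 'DisableDomainCreds=1: runas /savecred cannot store credentials here.'
} else {
    Write-Host 'DisableDomainCreds not set: runas /savecred will silently persist admin passwords.'
}
```

Setting that policy through Group Policy for the ICT Services workstations closes the hole for everyone rather than relying on each person to leave /savecred off their shortcuts.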